Descendant called Duqu designed for remote-access data theft, not ruining SCADA apps

ITworld|October 19, 2011

Stuxnet, the virus some researchers called the smartest virus ever written, has apparently spawned a second generation designed to infiltrate specific organizations and steal specific types of data using sophisticated remote data access functions the original lacked.

It shares "a great deal of code with Stuxnet," but the payload and apparent goals are far different, according to Symantec.

Rather than infiltrating and destroying industrial systems such as those in Iran's nuclear-fuel development sites, at which Stuxnet was aimed, Duqu is designed to create covert remote access to systems it attacks.

Duqu is a remote-access Trojan (RAT) that doesn't replicate itself to other systems after successfully infiltrating one.

Instead, it uses a custom-developed command-and-control protocol to communicate over HTTP and HTTPS with its control servers and to download the additional data-stealing components it uses to collect whatever information it is directed at.

Once it has collected the data it wants, Duqu encrypts the stolen bits, creates fake JPG files, and uploads the stolen data under cover of the dummy image files.
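The "fake JPG" cover described above is something a defender can check for on upload proxies or in quarantined files. The following is an added example, not code from the article or from Symantec's report, and it assumes nothing about Duqu's actual file layout: it walks the JPEG marker structure and flags files that wear a JPEG header without a real image inside, or that carry a large blob after the end-of-image marker. The sample byte strings are constructed.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

def jpeg_structure(data: bytes) -> dict:
    """Walk JPEG marker segments and report the facts the heuristic needs."""
    info = {"valid_soi": False, "segments": [], "has_eoi": False, "trailing": 0}
    if len(data) < 4 or data[:2] != bytes([0xFF, SOI]):
        return info
    info["valid_soi"], pos = True, 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return info                       # expected a marker: structure broken
        marker = data[pos + 1]
        if marker == EOI:
            info["has_eoi"], info["trailing"] = True, len(data) - (pos + 2)
            return info
        if marker == 0xFF or marker in NO_LENGTH:  # fill byte, TEM or RSTn
            pos += 1 if marker == 0xFF else 2
            continue
        if pos + 4 > len(data):
            return info
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        info["segments"].append(marker)
        pos += 2 + seglen
        if marker == SOS:                     # skip entropy-coded scan data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1
    return info

def looks_like_cover_jpeg(data: bytes, max_trailing: int = 64) -> bool:
    """True if a file wears a JPEG header but is not a plausible image."""
    info = jpeg_structure(data)
    if not info["valid_soi"]:
        return False                          # does not claim to be a JPEG
    if not info["has_eoi"] or SOS not in info["segments"]:
        return True                           # header-only wrapper or no scan
    return info["trailing"] > max_trailing    # payload appended after EOI

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed samples (structurally valid markers, not decodable pictures).
REAL_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
             + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
             + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9")
HEADER_ONLY = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + b"encrypted-blob" * 8
APPENDED = REAL_JPEG + b"\x00" * 4096
```

The trailing-bytes threshold is a tunable: some legitimate images carry a few bytes of padding after EOI, so tune `max_trailing` against your own file population before alerting on it.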

It's designed to run for 36 days after installation, then automatically remove itself, according to Symantec.

Duqu first showed up Sept. 1 of this year, but may have been in the wild as early as December 2010, according to compile-time metadata within the malware.

Symantec found two variants of the main code, but warns in its report that others may be attacking other organizations without having been detected so far.

Symantec researchers couldn't tell if Duqu was written by the same authors as Stuxnet. If it wasn't the same group, it was another that had access to the source code, not just the active binaries retrieved from victims.

The authors are at least as sharp as those who created Stuxnet, according to Vikram Thakur, principal security response manager for Symantec.

Symantec couldn't determine how Duqu inserted itself in victimized systems, but did say it was just as sophisticated as Stuxnet.